Posted
by
Soulskill
on Saturday August 21, 2010 @10:25AM
from the i-can-name-that-bar-in-8-lines dept.

caffeinemessiah writes "With the recent launch of Facebook Places, the rise to prominence of Foursquare and GoWalla, and articles in the New York Times about the increasing popularity of 'checking in' to locations using GPS-enabled mobile phones, a number of businesses are wondering how to reward frequent patrons. But exactly how susceptible are these 'location based services' to being abused? A researcher at the University of Illinois at Chicago shows how easily Foursquare can be gamed in 9 Perl statements, and invites readers to submit more succinct versions of the code to game the system."
An anonymous reader contributes a link to a similar article about spoofing Facebook Places to create an alibi.

I am happy that this is taking off. It's the only way we can fight back against data hoarders.

I propose SOCIAL PHREAKING: We need a P2P client that pretends to be a user of a social network: twitter, facebook, linked in, whatever. The software will login periodically (each client does it at a different rate, in fact, they negotiate.)

The idea is, the various fake accounts form relationships with one another. Every now and then they create a new account and share passwords where they login and 'appear to login' to be from a different location. The growth should be such that it is not suspicious and not an abuse of service. It would make more sense for every node to have only 1 or 2 accounts at most, to simulate families with accounts per family member.

You can use a chat bot to generate the junk that goes into twitter feeds and people's walls. A markov would be a good one.

You can spider nouns, hobbies from Wikipedia and randomly generate names and demographics. Of course they would have to be corrobative with the user's real location.

You can use pictures from the various leaked archives to upload pictures.

You can randomly spider groups and join them and so on.

With enough privacy advocates on the phreaknet should be able to generate enough traffic and data to distort the demographics at least slightly. We could make poison the data hoarders to make them think that everyone loves a certain brand of ice cream and then it would become more popular.

Then the people who abuse the demographics see a amazing opportunity, they are the only ones who can differentiate the distorted and real data.
So they can use their unique knowledge to put themselves ahead of the game.
Assuming there is only one group of people distorting the data in a certain region.
Anyway, who cares if some company knows i like mint ice cream.
Or that I like to go jogging from 4pm - 7pm.
As long as they dont bug my bathroom and take pictures of me in the shower I really don't care.
Act

A very interesting idea, but I think spam shows us that whoever actually developed and implemented such systems would most likely use them to intentionally skew the data towards something they could profit from, rather than adding noise to degrade the data.

How much of your spam is not related to making money off you?

I imagine this massive and convincing network of fake people would suddenly discover that they all love Axe body spray...

How far doesn't matter, only how long. And for virtually everyone, that is 9AM to 5PM or some approximation thereof.
Thieves know you're going to be away for hours, and it only takes them minutes.
You could be out getting milk and they'd have enough time to hit you before you got back.

"Not like there's going to be lots of fancy safeguards to try to prevent you from faking the GPS coordinates - which can come from a device in your control."

Or, for that matter, to prevent others from faking your GPS coordinates? If you opt out of providing your real location, where is your data to prove you WEREN'T at the scene of the crime when someone presents "data" that says you WERE there? Interesting conundrum...

This is not true of the Microsoft-based rand() function though. If you don't seed before you call rand() it will ALWAYS return 42 as the first random number(gee, I wonder if that's a joke), and the subsequent sequence of numbers are also always the same. I always call it to be sure, because what's a few clock cycles to make certain you're truly randomizing?

I thought the same thing, until I ran across a situation in ruby's Passenger, where they were initializing the srand with time or something similar, but of course all the servers were restarted at the same time. This then caused my UUID's to collide in another library because we had removed a 'superflous' srand in our code that was masking the problem.

Just saying you don't always know what the code that isn't yours is doing, so it is probably a good idea to assume it isn't done and do it explicitly.

Yes, in this specific case of 9 lines of code that aren't doing anything with many outside libraries, etc., it may be possible to read the documentation, and assuming the documentation is correct, rely on the default behavior. That is very rarely the case however.

However when I have come across a particular problem that is resolved by being thorough, and ensuring things are initialized, my tendency is to remember that and keep doing it in the future, which is the case for srand/rand.

The author didn't really even try, so it'll be easy to shorten it. Shortening it a lot is left as further exercise. I'll just get rid of some low-hanging fruit. I'm sure Perlmonks [perlmonks.org] will pick up the challenge if they haven't already.

The random number generator is automatically seeded, so get rid of that line.

The results from the socket are assigned to a variable, but that variable is not printed or otherwise used. There's a whole line. It might be friendly to read the data waiting, but it's not necessary to the task.

Rather than assigning to the command-line arguments, the assignment to $str could have included the random perturbations, so there's two more lines.

The only even remotely common one where it isn't is Mac OS Classic (i.e. pre-OSX), nowadays. (Although Windows will convert \n into \r\n on output to a textmode file, this will happen whether it's written as \015\012 or \r\n.) So you don't really gain anything by doing this. (A better method is to set the "binary mode" flag on the filehandle, e.g. by using "binmode" in Perl, in order to turn off platform-specific newline translation; this will avoid the \n to \r\n translation on Windows and not hurt on othe

If "use IO::Socket" counts as one line, just make a module "Foursquare::Mayor" whose import does what you did. Voila, one line! (Or, since we ignored the shebang line (which merely invokes megabytes of interpreter), why not make an executable which....)

Foursquare is a mobile application that makes cities easier to use and more interesting to explore. It is a friend-finder, a social city guide and a game that challenges users to experience new things, and rewards them for doing so. Foursquare lets users "check in" to a place when they're there, tell friends where they are and track the history of where they've been and who they've been there with. For more information on how foursquare works, see our searchable FAQ.
http://foursquare.com/about [foursquare.com]

There's this other application on mobile phones that lets people selectively contact those they want at a particular moment and communicate arbitrary information including that and a bunch more via simultaneous two-way voice.

Well, it just follows that, like just about anything on the web, anyone relying on Foursquare as an absolute reflection of reality is being foolish. I think that as a simple social tool among friends its fine, but for government spook work obviously this ain't your playground. Of course, the news is rife with stories about criminals who don't seem to believe they can be caught by anything they do on-line [economist.com].

Unfortunately, aside from being "cute" for a beer or something, it could conceivably be used as evidence to show that you were in a certain place at a certain time. Exploits like these have to become pretty common before we can be reasonably sure a court will throw out the "evidence" that I checked in at the scene of the crime...

We're sorry, you have spelled Firefox correctly in your Slashdot post. Here at Slashdot, you are supposed to pretend to be all about "teh open sourcez" but spell the names of the all popular F/OSS apps like a retard. Some accepted misspellings are: FireFox, Fire-Fox, Fire Fox, Foxfire, FireFOX, and Mozilla. If you choose the last option, please remember to be consistent and refer to all Adobe Acrobat apps as simply "Adobe."

> NOTE: To get this script to work, you must replace XXXXXX with the Base64> encoded version of "email/phone:password", so base64("john@doe.com:mypassword").> Here's Google's top ranked site for online Base64 encoding.

Yeah, what should go wrong by running your email/password-combo through a server-side Base64 encoder.

The same thing that could go wrong by sending it in Base64 in the first place? It's an encoding, not encryption. Oh, and there are already Perl modules to do Base64 encoding, but I guess importing another module and calling it for something you can calculate once would have just ballooned his line count a whole two lines.

It has been shown many times and it has been shown again: Web 1.0, with all of the glorious unreadable Perl stuff, neatly and cleanly defeats all this Ruby on Rails, gradients-and-rounded-corners, Twitter-compatible, "beta" Web 2.0 nonsense!

It has been shown many times and it has been shown again: Web 1.0, with all of the glorious unreadable Perl stuff, neatly and cleanly defeats all this Ruby on Rails, gradients-and-rounded-corners, Twitter-compatible, "beta" Web 2.0 nonsense!

I can write that script much quicker and cleaner in Ruby. In nine lines, I might even be able to tweet the results, just to annoy you...

Wouldn't a better hack be to spoof the location reported by your phone? After all, if the feds subpoena your cell phone records & get your actual location, wouldn't that destroy your foursquare/facebook alibi (as well as making you look more suspicious)?

To route burglaries. I no longer need to sit outside in my El Camino watching people and trying to guess when they will be gone. no all I need is a entry level programmer to parse all the "places" info in my target area. No longer will our street crew need to be on the street surveilling.

I did a simple Wireshark session with Foursquare's iPhone app and found they're sending my username and password in plain text over HTTP - they don't encrypt anything at all and they do it every time you open the Foursquare app.

You can see the Wireshark screenshot at my :
blog post [blogspot.com].